VeriSign Takes Aim at Open Source DNS

At the heart of the Internet is DNS,
the system that translates domain names into IP addresses. For the last two
decades, the world of open source DNS has been dominated by a single technology
-- BIND (Berkeley Internet Name Domain).

Now VeriSign, the company that runs the .com and .net domains, is aiming to
provide an open source alternative to BIND, called Unbound.

"Until now, if you wanted a free recursive name server, you really only had
one choice, BIND," Matt Larson, director of DNS research at VeriSign, told
InternetNews.com. "We wanted to create an alternative to BIND -- we think
that diversity is a good thing and we wanted to give something back to the
community."

In addition to VeriSign, the Unbound effort is sponsored by UK domain
registry Nominet and is being actively developed by Dutch technology research
group NLnet Labs.

Larson said the idea behind Unbound 1.0 was to design the perfect recursive
name server from scratch. Starting with a clean slate enabled developers to
create a server designed around performance, while also including support for
DNSSEC (DNS security extensions) right from the beginning.

While the extensions add integrity and authentication checks to DNS data,
Larson said DNSSEC deployment to date has been hindered by its performance
impact. (BIND has had DNSSEC since at least the BIND 9.3
release in 2004.)

"Performance is a concern since DNSSEC is adding a lot of additional
processing to the resolution path," Larson said. "The advantage of Unbound being
high-performance is you want everything to happen as fast as possible. That
would help address people's concerns about DNSSEC."

He added that VeriSign would not use Unbound to manage the .com or .net
registries, which are currently managed with VeriSign's Atlas authoritative DNS
software. Still, Larson did note that VeriSign is using Unbound internally as a
recursive DNS tool.

Whither BIND?

The debut of Unbound 1.0 marks the culmination of four years of development
aimed at offering a new choice for DNS. While BIND now plays a critical role in
the Internet's operation, supporters of the new Unbound server believe it, too,
may come to serve its own critical function.

"We like and have a lot of respect for the people at NLnet Labs, where this
was built, and we like the license they chose -- BSD-derived, like ours, and
we're happy to have another fellow traveler," said Vixie, who also co-founded
Internet Systems Consortium (ISC), which helps to maintain, develop and support
BIND.

He told InternetNews.com that although he supposed Unbound could
represent a new form of competition to BIND, it's actually a good thing in a
broader context.

"Competing to see who can give more software away sounds like it will be
good for the community," Vixie said. "ISC, as a public-benefit, non-profit
company, is happy that the community will get the boon of this kind of
competition."

The competition could also potentially end up making BIND itself
better. Considering that Unbound is open source, BIND developers could use code
from Unbound if it made sense to do so.

"We have not looked at it yet to see if there are good ideas we can crib,
but rest assured, if there's a better way to do something, ISC will study it
carefully and learn or adopt what we can from it," Vixie said.

"The final measure of our success is always 'How well does it work?' and
never, 'Whose idea was it?'"

VeriSign's Larson added that Unbound is not meant to single out what is
wrong with BIND, but merely to offer an alternative.